diff --git a/deploy/example-webhook/.helmignore b/deploy/example-webhook/.helmignore
deleted file mode 100644
index daebc7d..0000000
--- a/deploy/example-webhook/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/deploy/example-webhook/Chart.yaml b/deploy/example-webhook/Chart.yaml
deleted file mode 100644
index 7451d21..0000000
--- a/deploy/example-webhook/Chart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-appVersion: "0.0.1"
-description: cert-manager webhook solver for ACME DNS01 challenge via DNSimple
-name: cert-manager-webhook-dnsimple
-version: 0.0.1
-home: https://github.com/jahanson/cert-manager-webhook-dnsimple
-sources:
- - https://github.com/jahanson/cert-manager-webhook-dnsimple
-maintainers:
- - name: Joseph Hanson
- email: joe@veri.dev
- url: https://hsn.dev
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/_helpers.tpl b/deploy/example-webhook/templates/_helpers.tpl
deleted file mode 100644
index 4006c22..0000000
--- a/deploy/example-webhook/templates/_helpers.tpl
+++ /dev/null
@@ -1,52 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "dnsimple-webhook.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "dnsimple-webhook.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "dnsimple-webhook.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "dnsimple-webhook.selfSignedIssuer" -}}
-{{ printf "%s-selfsign" (include "dnsimple-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "dnsimple-webhook.rootCAIssuer" -}}
-{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "dnsimple-webhook.rootCACertificate" -}}
-{{ printf "%s-ca" (include "dnsimple-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "dnsimple-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "dnsimple-webhook.fullname" .) }}
-{{- end -}}
-
-{{- define "dnsimple-webhook.tokenSecretName" -}}
-{{- default (include "dnsimple-webhook.fullname" .) (.Values.dnsimple.tokenSecretName) -}}
-{{- end -}}
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/apiservice.yaml b/deploy/example-webhook/templates/apiservice.yaml
deleted file mode 100644
index 9388116..0000000
--- a/deploy/example-webhook/templates/apiservice.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- name: v1alpha1.{{ .Values.groupName }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "dnsimple-webhook.servingCertificate" . }}"
-spec:
- group: {{ .Values.groupName }}
- groupPriorityMinimum: 1000
- versionPriority: 15
- service:
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace }}
- version: v1alpha1
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/deployment.yaml b/deploy/example-webhook/templates/deployment.yaml
deleted file mode 100644
index 4c3cb23..0000000
--- a/deploy/example-webhook/templates/deployment.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: {{ include "dnsimple-webhook.name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- release: {{ .Release.Name }}
- spec:
- serviceAccountName: {{ include "dnsimple-webhook.fullname" . }}
- containers:
- - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - --secure-port={{ .Values.containerport }}
- - --tls-cert-file=/tls/tls.crt
- - --tls-private-key-file=/tls/tls.key
-{{- if .Values.logLevel }}
- - --v={{ .Values.logLevel }}
-{{- end }}
- env:
- - name: GROUP_NAME
- value: {{ .Values.groupName | quote }}
- ports:
- - name: https
- containerPort: {{ .Values.containerport }}
- protocol: TCP
- livenessProbe:
- httpGet:
- scheme: HTTPS
- path: /healthz
- port: https
- readinessProbe:
- httpGet:
- scheme: HTTPS
- path: /healthz
- port: https
- volumeMounts:
- - name: certs
- mountPath: /tls
- readOnly: true
- resources:
-{{ toYaml .Values.resources | indent 12 }}
- volumes:
- - name: certs
- secret:
- secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/pki.yaml b/deploy/example-webhook/templates/pki.yaml
deleted file mode 100644
index 25b76e0..0000000
--- a/deploy/example-webhook/templates/pki.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-# Create a selfsigned Issuer, in order to create a root CA certificate for
-# signing webhook serving certificates
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- selfSigned: {}
-
----
-
-# Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ include "dnsimple-webhook.rootCACertificate" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
- duration: 43800h # 5y
- issuerRef:
- name: {{ include "dnsimple-webhook.selfSignedIssuer" . }}
- commonName: "ca.dnsimple-webhook.cert-manager"
- isCA: true
-
----
-
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- ca:
- secretName: {{ include "dnsimple-webhook.rootCACertificate" . }}
-
----
-
-# Finally, generate a serving certificate for the webhook to use
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ include "dnsimple-webhook.servingCertificate" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- secretName: {{ include "dnsimple-webhook.servingCertificate" . }}
- duration: 8760h # 1y
- issuerRef:
- name: {{ include "dnsimple-webhook.rootCAIssuer" . }}
- dnsNames:
- - {{ include "dnsimple-webhook.fullname" . }}
- - {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}
- - {{ include "dnsimple-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/rbac.yaml b/deploy/example-webhook/templates/rbac.yaml
deleted file mode 100644
index 5d51b7b..0000000
--- a/deploy/example-webhook/templates/rbac.yaml
+++ /dev/null
@@ -1,116 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
----
-# Grant the webhook permission to read the api-token Secret in the specified namespace.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- namespace: {{ .Release.Namespace | quote }}
- name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
- namespace: {{ .Release.Namespace | quote }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
-roleRef:
- kind: Role
- name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
- apiGroup: rbac.authorization.k8s.io
----
-# Grant the webhook permission to read the ConfigMap containing the Kubernetes
-# apiserver's requestheader-ca-certificate.
-# This ConfigMap is automatically created by the Kubernetes apiserver.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
- namespace: kube-system
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extension-apiserver-authentication-reader
-subjects:
- - apiGroup: ""
- kind: ServiceAccount
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace }}
----
-# apiserver gets the auth-delegator role to delegate auth decisions to
-# the core apiserver
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
- - apiGroup: ""
- kind: ServiceAccount
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace }}
----
-# Grant cert-manager permission to validate using our apiserver
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-rules:
- - apiGroups:
- - {{ .Values.groupName }}
- resources:
- - '*'
- verbs:
- - 'create'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
-subjects:
- - apiGroup: ""
- kind: ServiceAccount
- name: {{ .Values.certManager.serviceAccountName }}
- namespace: {{ .Values.certManager.namespace }}
\ No newline at end of file
diff --git a/deploy/example-webhook/templates/service.yaml b/deploy/example-webhook/templates/service.yaml
deleted file mode 100644
index 1f3534e..0000000
--- a/deploy/example-webhook/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "dnsimple-webhook.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: {{ include "dnsimple-webhook.name" . }}
- chart: {{ include "dnsimple-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: {{ .Values.containerport }}
- protocol: TCP
- name: https
- selector:
- app: {{ include "dnsimple-webhook.name" . }}
- release: {{ .Release.Name }}
\ No newline at end of file
diff --git a/deploy/example-webhook/values.yaml b/deploy/example-webhook/values.yaml
deleted file mode 100644
index 65b155b..0000000
--- a/deploy/example-webhook/values.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# The GroupName here is used to identify your company or business unit that
-# created this webhook.
-# For example, this may be "acme.mycompany.com".
-# This name will need to be referenced in each Issuer's `webhook` stanza to
-# inform cert-manager of where to send ChallengePayload resources in order to
-# solve the DNS01 challenge.
-# This group name should be **unique**, hence using your own company's domain
-# here is recommended.
-groupName: acme.jahanson.com
-
-certManager:
- namespace: cert-manager
- serviceAccountName: cert-manager
-# logLevel: 3
-dnsimple:
- token: ""
-clusterIssuer:
- email: name@example.com
-
-image:
- repository: git.hsn.dev/jahanson/cert-manager-webhook-dnsimple
- tag: "0.0.3"
- pullPolicy: IfNotPresent
-
-nameOverride: ""
-fullnameOverride: ""
-
-service:
- type: ClusterIP
- port: 443
-containerport: 8443
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
-# memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
\ No newline at end of file